
SSH key distribution

1. Environment preparation

[root@CentOS 7 ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
[root@CentOS 7 ~]# uname -r
3.10.0-327.el7.x86_64
[root@CentOS 7 ~]# getenforce 
Disabled
[root@CentOS 7 ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@CentOS 7 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.201  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::20c:29ff:fe40:1a4e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:40:1a:4e  txqueuelen 1000  (Ethernet)
        RX packets 79743  bytes 65986287 (62.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 54690  bytes 70448334 (67.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.201  netmask 255.255.255.0  broadcast 172.16.1.255
        inet6 fe80::20c:29ff:fe40:1a58  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:40:1a:58  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        TX packets 10  bytes 744 (744.0 B)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        TX packets 0  bytes 0 (0.0 B)

2. Check the SSH port

[root@CentOS 7 ~]# netstat -lntup | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1518/sshd           
tcp6       0      0 :::22                   :::*                    LISTEN      1518/sshd           

3. Key authentication

3.1 Create a key pair

[root@CentOS 7 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):           ---- path where the key pair is saved
Created directory '/root/.ssh'. 
Enter passphrase (empty for no passphrase):          ---- set a passphrase for the key pair
Enter same passphrase again:                                 ---- confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7d:dc:8c:89:80:5d:79:97:6b:e4:2d:53:89:ba:d6:13 root@CentOS 7
The key's randomart image is:
+--[ RSA 2048]----+                          ---- the key length is 2048 bits
|          ..  ...|
|       o .. ..+..|
|      . o  ..+ + |
|         o + E* .|
|        S o B.+o |
|           + o   |
|          .   .  |
|                 |
+-----------------+

3.2 Distribute the public key

[root@CentOS 7 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.63
The authenticity of host '172.16.1.63 (172.16.1.63)' can't be established.
ECDSA key fingerprint is 0b:bf:14:a7:9e:87:69:5d:7c:a5:25:b9:65:22:35:08.
Are you sure you want to continue connecting (yes/no)? yes                 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.63's password:             ---- the first time the public key is distributed, the password must be entered
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@172.16.1.63'"
and check to make sure that only the key(s) you wanted were added.

3.3 Test

[root@CentOS 7 ~]# ssh 172.16.1.63
Last login: Fri Mar 30 17:11:08 2018 from 10.0.0.1
[root@gitlab ~]# ifconfig
        inet 10.0.0.63  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::20c:29ff:feae:fb74  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ae:fb:74  txqueuelen 1000  (Ethernet)
        RX packets 9568  bytes 2809779 (2.6 MiB)
        TX packets 382  bytes 30216 (29.5 KiB)
        inet 172.16.1.63  netmask 255.255.255.0  broadcast 172.16.1.255
        inet6 fe80::20c:29ff:feae:fb7e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ae:fb:7e  txqueuelen 1000  (Ethernet)
        RX packets 87  bytes 18256 (17.8 KiB)
        TX packets 88  bytes 21538 (21.0 KiB)
        RX packets 66294  bytes 49504554 (47.2 MiB)
        TX packets 66294  bytes 49504554 (47.2 MiB)

4. Authentication agent

4.1 Create a key pair on the management host (steps above)

4.2 Distribute the public key (steps above)

4.3 Start the authentication agent on the management host

[root@CentOS 7 ~]# eval `ssh-agent -s`
Agent pid 2994

4.4 Register the local private key with the agent on the management host

[root@CentOS 7 ~]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

4.5 Log in to the proxied host with agent forwarding (-A) so that it can use the management host's credentials

[root@CentOS 7 ~]# ssh -A 172.16.1.63
Last login: Fri Mar 30 20:03:21 2018 from 172.16.1.21

4.6 Test: from the proxied host, log in to 172.16.1.21 through the forwarded agent

[root@gitlab ~]# ssh 172.16.1.21
Last login: Fri Mar 30 20:08:27 2018 from 172.16.1.63

5. Automatically create the key pair and distribute the public key (shell script)

#!/bin/bash
##############################################################
# File Name: ssh_fenfa.sh
# Version: V7.4
# Author: feng yu
# Organization: http://blog.51cto.com/13520761
# Created Time : 2018-03-30 20:13:36
# Description: generate a key pair and push its public key to the managed hosts
##############################################################

fil=/root/.ssh/id_rsa*

# If a key pair already exists, remove it and generate a new one; otherwise just
# generate one. -P "" gives an empty passphrase so the script can run unattended.
# (The original used "> 0", which is a redirection inside [ ], not a comparison.)
if [ "$(ls $fil 2>/dev/null | wc -l)" -gt 0 ]; then
    rm -f $fil
    ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" >/dev/null 2>&1
else
    ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" >/dev/null 2>&1
fi

# sshpass answers the password prompt of the first ssh-copy-id non-interactively
if [ "$(rpm -qa sshpass | wc -l)" -lt 1 ]; then
    yum install -y sshpass &>/dev/null
fi

# The original listing ends after "do"; the loop body below is assumed. The host
# keys of 172.16.1.21 and 172.16.1.63 must already be in known_hosts (see 3.2),
# otherwise the host-key prompt blocks sshpass. PASS is a placeholder for the
# root password of the managed hosts.
PASS="<root-password>"
for ip in 21 63
  do
    sshpass -p "$PASS" ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.1.$ip >/dev/null 2>&1
  done
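A check to run on the target after distribution, added here as an example that is not from the original post: it confirms the public key landed exactly once in authorized_keys (comparing only key type and base64 body, as ssh-copy-id's "filter out already installed" step does) and that ~/.ssh has the 0700/0600 modes sshd's StrictModes expects. The directory and key it demonstrates on are constructed inline.

```shell
#!/bin/bash
# Added example, not part of the original post. A group- or world-writable
# ~/.ssh or authorized_keys makes sshd (StrictModes, the default) ignore the
# key, so the client falls back to a password prompt with no obvious reason.

# Return 0 when directory $1 is mode 0700 and $1/authorized_keys is mode 0600.
check_ssh_perms() {
    local dir="$1" ak="$1/authorized_keys"
    [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir must be 0700" >&2; return 1; }
    [ -f "$ak" ] || { echo "missing $ak" >&2; return 1; }
    [ "$(stat -c %a "$ak")" = "600" ] || { echo "$ak must be 0600" >&2; return 1; }
    return 0
}

# Print how many lines of authorized_keys $2 carry the key in public-key file $1.
# Only the type and base64 fields are compared, so a different comment (the
# "root@host" suffix) cannot hide a duplicate.
count_key() {
    local key
    key=$(awk '{print $1, $2}' "$1")
    awk -v k="$key" '($1 " " $2) == k { n++ } END { print n + 0 }' "$2"
}

# Demo on a constructed directory (no real host, no real key).
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/.ssh"
    # constructed sample public key; the base64 body is not a real key
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY root@CentOS7\n' > "$tmp/id_rsa.pub"
    # simulate the key having been appended twice (script run twice without the filter)
    cat "$tmp/id_rsa.pub" "$tmp/id_rsa.pub" > "$tmp/.ssh/authorized_keys"
    chmod 600 "$tmp/.ssh/authorized_keys"
    if check_ssh_perms "$tmp/.ssh"; then
        echo "key occurrences: $(count_key "$tmp/id_rsa.pub" "$tmp/.ssh/authorized_keys")"
    fi
    rm -rf "$tmp"
}

demo
```

On a real target, run check_ssh_perms on /root/.ssh and count_key with the id_rsa.pub copied from the management host; a count above 1 means the distribution script appended the key again instead of filtering it.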
